PCI DSS: is the cure worse than the disease?

Complying with the Payment Card Industry Data Security Standard (PCI DSS) is prohibitively expensive, and the cost of compliance bears very little relation to the cost of a breach, according to Dave Birch, director of IT consultancy Consult Hyperion.

Complying with the Payment Card Industry Data Security Standard (PCI DSS) is prohibitively expensive, and the cost of compliance bears very little relation to the cost of a breach, according to Dave Birch, director of IT consultancy Consult Hyperion.

Speaking at a Westminster eForum on the future of digital payments, Birch said that, while data driven identity fraud accounts for the overwhelming majority UK fraud, PCI DSS may not be the best solution in the long term.

“The cost of PCI DSS compliance has turned out to be a cure that's worse than the disease,” said Birch. “It's not transparently obvious to me that it makes sense to continue it indefinitely far into the future. I think PCI needs as much of a rethink as the payments security itself does.”

However, Jeremy King, European director of the PCI Security Standards Council defended the standard, claiming that the average cost per record of cardholder data lost in the UK is £79 per record.

If a company suffered a breach of 50,000 records – which is relatively small – it would therefore cost them £4 million. By comparison, the cost of PCI DSS is somewhere between $3 million and $4 million, depending on the size of the company.

King said that PCI DSS is not just about protecting a company's revenues but also their reputation. He pointed to the likes of Sony and Heartland, which suffered significant brand damage following their high-profile data breaches.

“The most important cost to you when you're breached is your brand reputation. The cost of putting your brand back together again is far more significant and far outweighs the cost of the breach,” he said.

But Birch argued back, claiming that the stock prices of these companies were unaffected by the data breaches. He also said that the costs incurred by Sony and Heartland were primarily in the form of fines from regulators and payments processors, rather than as a result of fraud.

“I'm unaware of any accurate supported statistical correlation between those losses and any actual card fraud,” he said.

King said that organisations are increasingly adopting a risk-based approach to PCI DSS, so they can meet the requirements in stages rather than all in one go. This should make the process of compliance a lot simpler.

It will also help organisations prepare for the European Data Protection Directive, which will regulate the processing of personal data within the European Union.

“The Data Protection Directive has some significant challenges and requirements around customer data that are going to make PCI look like a walk in the park,” said King.

“If you have got to protect all of your customer data, that means significantly more work; and if you're then required to notify your information commissioner within 24 hours of a breach, that's going to be a challenge; and if the data commissioner can then have the opportunity to fine you 2 percent of your global turnover, then that is not just the card schemes that are giving you fines.”

Kiron Farooki, partner at Bond Pearce law firm, pointed out that some insurance companies are already responding to the European Data Protection Directive by providing “cyber insurance” that will allow businesses and retailers to spread out the cost of insurance over time.

However, Birch maintained that a more cost-effective solution is needed.

“You're never going to get the cost reductions that everybody needs, we have to rethink it, and I think looking at these more identity-centric ways is the way forward,” he said.

“We have to work with a proper identity infrastructure, which isn't something to do with payments or banks, it's a cross-sector thing.”